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Alert Number 

MC-000076-MW 


In furtherance of public-private partnerships, the FBI routinely advises private 
industry of various cyber threat indicators observed during the course of our 
investigations. This data is provided in order to help cyber security 
professionals and system administrators to guard against the persistent 
malicious actions of cyber criminals. 


WE NEED YOUR 
HELP! 

If you find any of 
these indicators on 
your networks, or 
have related 
information, please 
contact 
FBI CYWATCH 
immediately. 
Email: 

cywatch@ic.fbi.gov 

Phone: 

1 - 855 - 292-3937 


This FLASH has been released TLP: GREEN: The information in this product is 
useful for the awareness off all participating organizations within their sector 
or community, but not via publicly accessible channels. 

Identification of ransomware variant called 
Locky 

Summary 

The 'Locky' malware is a ransomware variant, which has extensively utilized spam 
campaigns to distribute malicious files that download and execute code capable 
of encrypting numerous critical file types on both local and networked file stores. 
Encrypted files are renamed with a unique hexadecimal filename and receive the 
".locky" extension. Each directory containing encrypted files contains instructions 
on how to utilize Bitcoin in order to pay a ransom for file recovery, and the 
system's computer background is also changed to contain payment instructions. 
Recovery of encrypted files is impossible without data backup or acquisition of 
the private key due to the well-implemented, strong encryption. Historically, 
while payment of the ransom may result in receipt of the valid private key, 
enabling decryption of the targeted files, the FBI does not recommended the 
victim pay the ransom. 


*Note: By reporting any 
related information to FBI 
CyWatch, you are assisting in 
sharing information that 
allows the FBI to track 
malicious actors and 
coordinate with private 
industry and the United States 
Government to prevent future 
intrusions and attacks. 


Technical Details 


In early 2016, a destructive ransomware variant, Locky, was observed infecting 
business computers in the United States, New Zealand, Australia, Germany, and 
the United Kingdom. It propagates through spam e-mails that include malicious 
Microsoft Office documents and JavaScript or compressed attachments (e.g., .rar, 
.zip). The infection vectors are similar to the Dridex banking Trojan and Pony 
loader. The malicious attachments contain macros or JavaScript files to download 
the Locky files. Locky has also been distributed via the Neutrino and Nuclear 
exploit kits. Locky is based on an affiliate model. The developers of Locky offer it 
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as a service, and the FBI currently assesses that it is the responsibility of the individual affiliate to distribute the 
malware, resulting in the variety of attack vectors mentioned above. 


The malicious Microsoft Office documents contain macros with obfuscated Visual Basic Script (VBS) and/or batch files, 
which result in the download and execution of the Locky executable. The malicious JavaScript files are delivered via zip 
files in e-mail, which results in the download and execution of the Locky executable. Once executed, Locky establishes 
persistence via a Run key within the registry and attempts to delete shadow copies using the vssadmin command, and 
encrypt user space files, such as documents, media files, archives, source code, and other critical files. 

Locky communicates with a hard coded command and control server to inform the operators of a successful infection 
and to obtain encryption keys and a unique victim identifier. Additionally, Locky contains a domain generation 
algorithm, which will generate additional domains for communication with the command and control infrastructure. 
Network requests typically include http POSTs to files, such as main.php, submit.php, or most recently, userinfo.php, 
and updated Locky variants encrypt command and control communications. 

An updated complete list of indicators for known domains, e-mail subject lines, URLs, Hash data, and associated files 
is attached to this e-mail. 

Recommended Steps for Prevention 

• Implement an awareness and training program. Because end users are targeted, employees and individuals 
should be made aware of the threat of ransomware and how it is delivered. 

• Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound 
e-mail using technologies, like Sender Policy Framework (SPF), Domain Message Authentication Reporting and 
Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing. 

• Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end 
users. 

• Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans. 

• Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned 
administrative access unless absolutely needed; those with a need for administrator accounts should only use 
them when necessary. 

• Configure access controls, including file, directory, and network share permissions, with least privilege in mind. 
If a user only needs to read specific files, they should not have write access to those files, directories, or shares. 

• Disable macro scripts from office files transmitted via e-mail. Consider using Office Viewer software to open 
Microsoft Office files transmitted via e-mail instead of full office suite applications. 

• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from 
common ransomware locations, such as temporary folders supporting popular Internet browsers or 
compression/decompression programs, including the AppData/LocalAppData folder. 

• Implement application whitelisting; only allow systems to execute programs known and permitted by security 
policy. 

• Categorize data based on organizational value, and implement physical/logical separation of networks and 
data for different organizational units. 
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Recommended Steps for Remediation 


• Isolate the infected computer(s) immediately. Infected systems should be removed from the network as soon 
as possible to prevent ransomware from attacking network or share drives. 

• Do not clean or re-image the infected computer(s) until you have completely recovered from the event. It may 
be critical to have the infected computer to recover from the incident if other avenues of recovery fail or are 
not available. 

• Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to 
report a ransomware event and request assistance. 

• Implement your security incident response and business continuity plan. Ideally, organizations should ensure 
they have appropriate backups, so that their response is simply to restore the data from a known clean 
backup. 


The following information is being requested of victims of Locky infections when reporting to law enforcement: 

1. Detailed victim information, to include organization name, sector, and technical POC. 

2. Original e-mail(s) with full headers and any attachments (assuming phishing attack vector) or network traffic 
information from exploit kit attack vectors. 

3. Copies of any executables or other files dropped onto the system after accessing malicious attachments. 

4. Any domains or IP addresses communicated with just prior to or during infection. 

5. The "personal identification ID" as specified in the ransom text/image. 

6. The Bitcoin wallet ID to which payment is requested, and the amount being requested. 

7. If a ransom was paid, the amount, and the Bitcoin wallet ID from which the payment was made. 

8. If available, any forensic analysis or incident response reports completed. 

9. If available, any memory captures taken during execution of the malware. 

10. Status of the infection. 

Reporting Notice 

The FBI encourages recipients who identify the use of tool(s) or techniques discussed in this document to report 
information to their local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Field office contacts can be 
identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by e-mail at 
CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, 
number of people, and type of equipment used for the activity, the name of the submitting company or organization, 
and a designated point of contact. 
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Your Feedback on the Value of this Product Is Critical 

Was this product of value to your organization? Was the content clear and concise? 
Your comments are very important to us and can be submitted anonymously. Please 
take a moment to complete the survey at the link below. Feedback should be specific to 
your experience with our written products to enable the FBI to make quick and 
continuous improvements to such products. Feedback may be submitted online here: 

https://www.ic3.gov/PIFSurvey 

Please note that this survey is for feedback on content and value only. Reporting of 
technical information regarding FLASH reports must be submitted through FBI CYWATCH. 


The information in this FLASH was obtained through an FBI investigation and is provided in conjunction with 
the FBI's statutory requirement to conduct victim notification as outlined in 42 USC § 10607 


TLP: GREEN 





